Bit9 Hacked; Criminals Seize Code-Signing Certificate

In a security breach of the computer networks of Bit9, a security solutions supplier, cyber-criminals gained access to one of the firm's code-signing certificates and then used it to sign malware, softpedia.com reported on February 9, 2013.

Security officials at Bit9 said the hack was possible because of the firm's own lapse: it had not installed security software on several of its PCs.

According to Patrick Morley, Chief Executive Officer at Bit9, there has been no sign that the breach resulted from a flaw in the firm's product. An investigation into the incident found that the product itself was not compromised. Rather, the firm did not follow the best practices it recommends to its own clients: it did not ensure that its product was installed on every virtual and physical system at Bit9, Morley explained, as reported by softpedia.com.

After uncovering the hack, Bit9 stated that its researchers had identified 3 clients, out of a customer base of at least 1,000, that had been targeted by malware signed with the compromised code-signing certificate.

However, a Bit9 spokesman declined to name the victims, to describe what the malware was capable of during the attacks, or to say whether the intruders had succeeded in causing damage to its customers, ndtv.com reported on February 11, 2013.

Earlier, on February 8, 2013, Bit9 informed clients about the hack, after which one client organization passed the information to the media. Then, on February 9, 2013, Bit9 posted a few additional details on its website, one of which was that the firm had already disclosed the malicious programs' cryptographic hashes to its clients.

Disturbingly, attackers have hacked into software security companies before in attempts to gain access to the data of those companies' customers. In March 2011, the security company RSA was attacked when criminals tried to steal information that would let them defeat the security provided by RSA's SecurID tokens. Also in March 2011, Comodo, an Internet certificate authority, was duped into issuing certificates for well-known websites (Microsoft and Google) to an online scammer.